Karma aside, gonna ask for help from any corner I can get it from. We've started seeing our entire AD, all users, get locked out instantly/repeatedly for the past hour, and no sign of cause in sight. We know what DC it's originating from, but it's our HQ and 99% of our people are here. All users, even deactivated ones, are getting bad password attempts and getting locked out. Anyone seen anything like this or have a suggestion? Thanks.

Update: Windows Defender is identifying it as Qakbot and Emotet. Standby for symptom description.

We think we found the vector email, a fake invoice that we get all the time and even quarantine for that word, but it must have gotten released without a close look.

Symptoms: Scheduled tasks and Windows services with random numbers as their names, pointed at exes with random names in the following locations:

I created my current company's SRP using a Spiceworks write up (I forget the author's name but it was awesome-sauce) and a few weeks of trial and error with my power users assisting me. It's WELL worth the time and effort.

Allegedly bad password attempts from all sorts of computers, but we're about to cross reference to see if it's just User with their computer and they haven't gotten the memo yet and they're just trying random passwords. As useful as the tool is, it's not as pinpoint accurate as we all wish it was.

Update: Looks like multiple computers, but each computer is locking out multiple accounts, very quickly. Even policy for locking out has been disabled, and accounts that should not be able to be locked out are getting locked out. We're lucky we were even in the office when this happened otherwise there wouldn't have been anyone to get us into our own computers.

Disabled workstation network, got just IT on the server network. On our guest wifi right now just for this. May have stopped, so it's a matter of finding the culprit.

Update: Lockouts have stopped by shutting down workstation network. Essentially people can just go home at this point. We're evaluating the next course for determining culprit(s) out of hundreds of devices on the same network.
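One way to narrow "hundreds of devices" down to the ones actually causing lockouts, as an added example that is not from anyone in this thread: every lockout is recorded as Security event 4740 on the PDC emulator, and that event's TargetDomainName field carries the caller computer name. Assumes the RSAT ActiveDirectory module and rights to read the DC's Security log.

```powershell
# Added example: rank workstations by how many distinct accounts they have locked out.
# Assumes: ActiveDirectory module available, remote event log access to the DC.
param(
    [string]$Dc    = (Get-ADDomain).PDCEmulator,  # every lockout replicates here
    [int]   $Hours = 4                            # how far back to look
)
Import-Module ActiveDirectory

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

# Pull the named fields out of each event's XML payload.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $d['TargetUserName']    # the account that got locked
        Caller  = $d['TargetDomainName']  # in 4740 this field is the caller computer name
    }
}

# A host that locks many different accounts in a short window is a spreader,
# not a user mistyping one password.
$summary = $rows | Group-Object Caller | ForEach-Object {
    [pscustomobject]@{
        CallerComputer   = $_.Name
        Lockouts         = $_.Count
        DistinctAccounts = ($_.Group.Account | Sort-Object -Unique).Count
        FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object DistinctAccounts, Lockouts -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -NoTypeInformation -Path ".\lockout-callers-$($Dc).csv"
```

Run it before the workstation network is re-enabled so the list reflects the infected hosts rather than normal morning logons.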

Do you have any RDS Servers open? VPN? SQL? Exchange? any other open ports through the main firewall?

I think it's safe to say at this point that it's a workstation that was or is still on site and is either gone or quarantined. We didn't think to tell people to leave laptops here soon enough, many people went home with their laptops, so if we don't find the cause tonight, it could come back in the morning. So for sure we have to put signs on the doors to check all computers in.

I was so slow at this point on my posting, by the time I pressed reply I saw all the replies.... ranhalt so it is safe to say I was slow to post.

Still working on it, but identified the payload. It's usually in a standard location across local user profiles, but leaves similar files with random names, and scheduled tasks to activate them. It's been found on dozens of computers, with modified times as early as 9:45am and it wasn't until 1pm that we saw massive AD lockouts.

C:\users\(username)\appdata\roaming\microsoft\(random name)

C:\users\(username)\appdata\local\temp\(random name)

Obviously, something like AppLocker or another exe preventer would have stopped this, so that topic is getting reopened. We've been looking for tools to identify and remove these files, but it looks so new that most tools don't have definitions for them yet or they just came out today. MBAM didn't find it, Defender isn't finding it, Norton Power Eraser found some but not all, so it's one of those things that won't be definitive other than nuking everything which isn't a solution, especially since they could get reinfected. I'm trying to suggest we create a new workstation VLAN and slowly move people to it when they've been cleared and/or nuked.

I'll keep you updated and post screenshots and other findings as I can, because this could definitely be the beginning of something.
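Since the vendor tools were not catching it yet, here is an added triage script (not the poster's, and not a removal tool) that looks for exactly the indicators described above on one workstation: scheduled tasks and services whose name is all digits, or whose executable lives under AppData\Roaming\Microsoft\ or AppData\Local\Temp\, plus recently modified binaries in those folders. The cutoff time and output path are assumptions; hashes are exported so results from dozens of machines can be compared.

```powershell
# Added example: hunt the described persistence on the local machine (run elevated).
$suspectPaths = @('AppData\Roaming\Microsoft\', 'AppData\Local\Temp\')
$numericName  = '^\d+$'                            # task/service names that are just a number
$since        = (Get-Date).Date.AddHours(9)        # assumption: start of the incident day window

function Test-SuspectPath([string]$cmd) {
    foreach ($p in $suspectPaths) { if ($cmd -like "*\$p*") { return $true } }
    return $false
}

# Scheduled tasks: check each action's executable and the task name.
$tasks = foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $exe = "$($a.Execute) $($a.Arguments)".Trim()
        if ($t.TaskName -match $numericName -or (Test-SuspectPath $exe)) {
            [pscustomobject]@{ Type='Task'; Name=$t.TaskPath + $t.TaskName; Command=$exe; State=$t.State }
        }
    }
}

# Services: same test on the service name and its binary path.
$services = foreach ($s in Get-CimInstance Win32_Service) {
    if ($s.Name -match $numericName -or (Test-SuspectPath $s.PathName)) {
        [pscustomobject]@{ Type='Service'; Name=$s.Name; Command=$s.PathName; State=$s.State }
    }
}

# Binaries dropped in the two profile locations since the cutoff, with hashes.
$files = foreach ($prof in Get-ChildItem 'C:\Users' -Directory) {
    foreach ($p in $suspectPaths) {
        $dir = Join-Path $prof.FullName $p
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -Recurse -File -Include *.exe,*.dll -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            ForEach-Object {
                [pscustomobject]@{ Type='File'; Name=$_.FullName; Command=(Get-FileHash $_.FullName -Algorithm SHA256).Hash; State=$_.LastWriteTime }
            }
    }
}

$hits = @($tasks) + @($services) + @($files)
$hits | Format-Table -AutoSize
# One CSV per host so the hashes and task names can be diffed across the fleet.
$hits | Export-Csv -NoTypeInformation -Path "\\fileserver\triage\$env:COMPUTERNAME.csv"  # assumed share
```

Matching hashes or task names across hosts give you the indicator set to feed into AppLocker/SRP rules and the EDR once definitions catch up.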